Getting Serious About Security

Over the last couple of years we’ve seen two high profile data breaches. In September of 2011, a hacker was able to gain access to Experian credit report users by infiltrating Abilene Telco Credit Union. In October of 2012, The SC Department of Revenue had over 70 gigabytes of data containing tax returns dating back to 1998 stolen.

Initially, it was thought that a hacker somehow tunneled into the networks through un-patched systems. Now it is believed that malware installed on an employee’s computer caused both breaches.

This begs the question: how did malware get onto a company computer? IT departments are fanatical about keeping their anti-virus software updated. They also use firewalls, spam filters and other appliances to safeguard their networks. But all of this can be for naught if a single employee clicks on a curious link in an email they received.

Employee education on computer security is minimal at best. Usually it consists of a company-wide email and/or a page in the employee manual/portal. This has got to change. Everyone at your credit union should be required to go through security training. Everyone is a target, from the tellers to the CEO. IT staff shouldn’t be excluded either. In the SC DOR instance, it is suspected that an IT worker was the cause of the breach.

And spoofing emails is pretty trivial also. For a majority of credit unions, I’m sure their email addresses have one of these formats:

1. gpasley@yourcu.org

2. pasleyg@yourcu.org

3. george@yourcu.org

4. george.pasley@yourcu.org

All a hacker has to do is send a test email to one of your officers, whose names are listed on your “About Us” page. Once they have the correct format, they can then spoof it from another officer to make it look legitimate. Are you sure your employees wouldn’t click on a link sent from a higher up?

Customer data is the new digital currency. Financial institutions have a treasure trove of information, and most of it isn’t encrypted. All one needs is a couple of usernames and passwords to have access to it all. Safeguarding that information is your duty. Training your staff on how to keep it safe should be a high priority. Taking care of your data is the best way you can show your members your superior service.

George Pasley
George Pasley is the founder of iMazuma, a web software company based in Charleston, SC. iMazuma specializes in back office automation software and recently launched FS Vendors, an online financial services vendor directory. You can follow iMazuma at @imazumahq and George at @gpasley